Monday, January 24, 2011

Forensic Tools and Live CDs

Most of the time, we do not really care about our computers. They are a means to an end, or many ends. Games, Internet, work, you name it. When everything works, the PC is a somewhat noisy beast that lets us do what we want - most of the time. But what happens when something goes wrong?

Suddenly, your machine won't boot. Suddenly, you have managed to contract malware. Your hard disk is misbehaving, your partitions are gone, your files are gone. These kinds of disasters are all too common. Unfortunately, very few people think about them, let alone prepare for them.

Don't be one of them. You can avoid - or at the very least, minimize - risks and damages by exercising a continuous, pro-active approach to integrity and security. It begins with very basic concepts of data backup and simple desktop maintenance and extends beyond disasters into evidence collection and analysis, incident reporting, vulnerability discovery and patching, and damage control.

In this series of articles, we will talk about specialized Linux distributions that are particularly suited for these kinds of tasks: incidence response, data recovery, security audits, and investigation of system failures. In one word, we will talk about forensics-oriented distributions. Today, we will just introduce the topic. In the follow-up articles, we will review several highly useful, dedicated forensics Linux distributions.

So, before you start ... There are some things you need to know.

First, you can custom-build your own set of utilities for the task - for example, run Ubuntu, load it with goodies and then create a bootable image with Remastersys - however, you might as well rely on security professionals to do the job for you. Let them create the tools; you use them.

Second, analyzing and fixing system failures and security breaches takes a bit of knowledge. Therefore, if you're not really familiar with system internals, either Linux, Windows or both, you might not be able to fully utilize the power of tools presented here. Still, it does not hurt to be aware of them and have them handy, in case of a disaster.

Third, forensics of the kind we are talking about here is the 2nd or even a 3rd level of response. There's much you can do before turning to heavy-duty hacking. Thus, enter the must-have toolbox for any security conscious (Linux) user:

Must-have toolbox

The tools listed below should always be within your reach. Most of them come as individual live CDs, so you should carry a pouch with you. If you're extra-geeky, you might even use them from bootable USB drives. Whatever the case, you should have them ready for instant use, whether you're at home, work, a friend's place, or traveling abroad.

SystemRescueCD is a live CD specifically geared toward rescue and recovery. The tools package includes some of the most important tools available for Linux users, like GParted, PartImage, Grub, Lilo, sfdisk, TestDisk, and more.

PartImage is a powerful, friendly disk/partition imaging program, allowing you to quickly and easily back up and recover your entire disks or individual partitions, including the Windows NTFS filesystem. You can learn more about how to use PartImage in my tutorial: Free imaging software - CloneZilla & PartImage - Tutorial. PartImage is included with the SystemRescueCD.

Another extremely important tool is TestDisk. This tool allows you to recover lost partitions, make non-bootable disks boot again and restore deleted files. It is one of the more effective and powerful utilities on the market. When everything else fails, TestDisk won't. TestDisk is included with the SystemRescueCD.

Super Grub Disk is intended to run from a floppy disk or CD and is used for system rescue. Most importantly, it can be used to restore boot loaders, including GRUB, LILO and even the Windows boot loader.

Other tools

Even though this article is geared toward Linux users, there's a fair chance they will be called upon to act on behalf of a Windows friend in need, in which case they should be familiar with Windows tools as well. The best choice for Windows is:

Of the two distros, CAINE seems to be closest in look, feel, and functionality to the Helix3 environment. It is based on Ubuntu Linux 8.04, and contains a Windows autorun GUI. CAINE is available as a 643MB ISO download from http://www.caine-live.net/, and it is version 0.5 that is used in this review.

CAINE started as the graduation thesis of the lead developer, Giancarlo Giustini, at the Information Engineering Department of the University of Modena e Reggio Emilia, Italy. CAINE was designed to wrap the common forensic tools in a user-friendly GUI to help streamline the investigative process.

On the Windows side, CAINE provides WinTaylor, a point-and-click interface to many incident response and collection tools. The autorun utility pops up first, presenting the standard disclaimers, and gives the user the option to install the VB6 Runtime library, or the ability to register the .ocx files if running under Vista, if needed (see Figure 1).

Figure 1 - CAINE startup screen under Windows

An alternative to using the WinTaylor GUI is to run the forensic utilities from inside Windows Internet Explorer. As always, it is important to remember that everything done on a live system modifies the system being examined, and all efforts should be made to minimize any changes to the system (see Figure 2).

Figure 2 - WinTaylor, a GUI for a large number of Windows based forensic tools

Once WinTaylor is started, the Analysis 1 tab provides access to a number of NirSoft and other tools used for extracting system and personal information. It is recommended that you disable any anti-virus programs, as many of these tools are often flagged as hacking tools, trojans, or backdoors. The Analysis 2 tab contains RAM and network tools such as MDD, Win32dd, Winen, fport, TCPView and Advanced LAN Scanner. Analysis 3 contains FTK Imager, Windows Forensic Toolchest, and Nigilant32. The remaining two tabs provide access to the Sysinternals Suite of tools in either a GUI or command line environment. In addition, the GUI provides access to a screen snapshot utility and a file hash calculator.

DEFT v4 is based on Xubuntu Linux, and is available as a 700MB ISO download for either CD or USB, and even a special version for the EEE PC, from http://www.deftlinux.net/, and like CAINE, is based in Italy. Unlike CAINE and Helix3, DEFT presents a more compact look and feel. By default, DEFT doesn't use a GUI in either Windows or Linux. DEFT makes it very clear on its website that DEFT isn't for newbie[s].

When inserted into a Windows system, not much will happen, but in many ways that is a good thing. As I have mentioned numerous times, anything you run on a live system modifies that system. The GUI interfaces of Helix3 and CAINE both consume and overwrite RAM, potentially destroying evidence.
Since DEFT doesn't autorun a GUI, the user must be comfortable with command-line executables and parameters (a skill I see quickly disappearing in many college students).

The Windows based utilities are located in the deft_extra directory, and there are a lot of them. Aside from all the standard collection utilities, there are a number of other open source utilities such as AbiWord, various editors, a PDF viewer, antivirus utilities, and many, many more. These additional tools allow the investigator to perform additional tasks while having minimal impact on the suspect system. These tools can also be transferred to a forensic workstation and installed. There is also an index.html file in this directory that will give you a better idea of all the tools that are available.

And Just One More

Another interesting distribution is SUMO (Security Utilizing Multiple Options) Linux from Sun Tzu Data and Marcus J. Carey, a multi-boot DVD image that allows the user to select from and boot the following CDs:

This ISO image is 3.6GB, is available from http://sumolinux.suntzudata.com/, and is distributed via BitTorrent. Aside from the forensics capabilities provided by Helix and BackTrack, as well as the additional security tools provided by BackTrack and DBAN, this makes for a well-rounded security utility DVD that should be in every computer guru's toolbox. And there is just enough room that you could probably squeeze CAINE and/or DEFT into it. Now that would really be something.

Here's a well-rounded selection of security and forensics tools and resources that will almost certainly have you scrabbling around for a system or two to throw them at.

More Links - Windows Incident Response – Harlan has a most excellent and jam-packed post full of forensics goodies such as a reference to a new Windows memory imaging tool update for the free Win32dd. Also in that post was an introduction (to me) to a new system info-gathering tool called MIR-ROR. Like similar "collective" tools such as his own RegRipper, Security Database's Evidence Collector, and Mandiant's First Response, these multi-function info collection tools aren't solutions in themselves, but they can make the collection of first-pass level logs and information simpler. Armed with these, after careful analysis by the responder, more surgical system analysis can take place with task-specific tools. I'll let Harlan's own words on MIR-ROR speak for themselves…

I recently heard about a tool called MIR-ROR, put together originally by Troy Larson and then expanded by Russ McRee, both of Microsoft. Russ blogged about it here, and there's a toolsmith article available on it, as well. MIR-ROR is a batch file that is useful for running tools on a system as part of incident response; what I like about this is that Russ isn't sitting back hoping that someone does something like this, he's taking advantage of his knowledge and capabilities to put this together. And he's made it available to the public, along with instructions on how to run it. I like tools like this because they're self-documenting...properly constructed and commented, they serve as their own documentation. As always, the standard caveat applies...use/deploy tools like this as part of an incident response plan. If your plan says you need to acquire a pristine image of the drive first, you will want to consider holding off on using a tool like this...

You will have to collect many of the executables that are needed and assemble them into the package. The documentation is great. As I recall I found a few references that were off but some patient Googling turned up the correct locations and I soon had it all put together.

Memory Acquisition for First Responders – Forensic Incidence Response blog – Since I just mentioned Win32dd, this post by hogfly came at an opportune time. I believe that while memory acquisition and imaging is still primarily of use to forensic examiners, system admins can use the same lessons and apply them when doing incident response on a malware-infected system. As I say over and over again, too many IT techs, when getting a report of a virus/trojan/malware infection, just run roughshod over the system with anti-virus/anti-malware cleaning tools and remove critical information that would help understand WHAT is going on and WHY. There are LOTS of great Windows-based tools to capture memory images and data…many of them free (another post), so there's little excuse not to capture an image of the memory of an infected system before going to town on the cleaning. Getting a sector-based image of the physical drive could also be valuable. This gets the end-user up and producing again and lets the analysts have more time in the lab dissecting the cadaver without everyone breathing down their neck with impatience.

Live Analysis Part I - Changing of the Guard - The Digital Standard – Thoughtful post by cepogue on just that prior theme. Sometimes some incidents (or organizational attitudes/processes) just don't support the "by-the-book" Incident Response handling methodologies. Managers want the system cleaned and up and running, users complain about lost productivity, and you can't convince anyone who matters about the need to determine what, if any, data may have leaked. So many techs (and "my-blood-runs-IR" analysts) have to do a crash-n-dash response. That said, with skill and pre-planning, you can still make the best of a bad IR situation and hopefully walk away with valuable info despite the organizational "head-in-the-sand" culture. I'm looking forward to Part II.

Directory Link Counts and Hidden Directories – SANS Forensics blog – This post was a neat review of Unix file-structure handling and how to leverage it for searching for hidden directories. I was wondering if there was a Windows-supported solution. I saw in the comments a note that OSSEC has this ability and, in poking around, found an agent tool compatible with Windows in the Downloads section. Though not exactly the same, there is Joanna's tool FLISTER from her invisiblethings.org tools page, which might be worth looking into as well for Windows folks.
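The link-count rule that post builds on, worked through as an added example (this is not code from the SANS post or from this page): on most Unix filesystems a directory's hard-link count is 2 plus one per immediate subdirectory, so a count higher than what a listing shows means something is hiding directories from readdir(). The sample tree and the `demo_on_constructed_tree()` helper are constructed here; the check is Unix-only, since NTFS does not expose directory link counts this way.

```python
import os
import tempfile

def subdir_link_check(path):
    """Classic Unix rule: a directory's hard-link count is 2 ('.' plus the
    entry in its parent) plus one '..' link for each immediate subdirectory.
    Returns (expected, visible) subdirectory counts, or None when the
    filesystem does not keep real directory link counts (btrfs, many
    overlay/FUSE mounts, and ext4 past 65000 subdirectories report 1)."""
    st = os.lstat(path)
    if st.st_nlink < 2:
        return None
    visible = 0
    with os.scandir(path) as entries:
        for entry in entries:
            # Symlinks to directories are separate inodes; they add no '..' link.
            if entry.is_dir(follow_symlinks=False):
                visible += 1
    return st.st_nlink - 2, visible

def find_link_count_discrepancies(root):
    """Walk root and report every directory whose link count implies a
    different number of subdirectories than readdir() shows.  More expected
    than visible is the interesting case: entries hidden from the listing."""
    findings = []
    for dirpath, _dirnames, _files in os.walk(root):
        result = subdir_link_check(dirpath)
        if result is None:
            continue
        expected, visible = result
        if expected != visible:
            findings.append((dirpath, expected, visible))
    return findings

def demo_on_constructed_tree():
    """Constructed sample: 3 real subdirectories, 1 file and 1 symlink to a
    directory.  On a clean filesystem the discrepancy list is empty and the
    root check reads (3, 3); the symlink must not be counted."""
    root = tempfile.mkdtemp(prefix="linkcheck_")
    for name in ("etc", "lib", "tmp"):
        os.mkdir(os.path.join(root, name))
    open(os.path.join(root, "notes.txt"), "w").close()
    os.symlink(os.path.join(root, "lib"), os.path.join(root, "lib_link"))
    return subdir_link_check(root), find_link_count_discrepancies(root)

if __name__ == "__main__":
    print(demo_on_constructed_tree())
```

Run it against `/` on a suspect host from a known-good live CD rather than from the host's own binaries, since a rootkit that hides directories can equally well tamper with the tools that list them.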

Helix3 2009R1 FREE is once again available for download from the developers. Please see this GSD post Helix3: Thanks for the memories… to come up to speed on the issue. A recent comment by Lauren on that post got me looking around (and I did have to look hard to find it!) for the download link on the e-fense site. It can be found here. Registration is required to get to the download page, but if you hadn't already tucked away an ISO file of the last free version, you do now have a safe option to get it fresh. Of course, to e-fense's credit, they would rather you pony up some $ to get the newest (non-free) version of HelixPro and, depending on your needs, that might be a better thing to do. Either way, it's nice having the choice again.

Download HelixCE200401brc1.iso RC1!!! Updated – Meanwhile, out of the previous “Helix going commercial” drama mentioned above, Charles Tendell struck on a new Helix “Community Edition” version. Due to licensing and other issues (RE: IAMAL) , he had to strip out some e-fense specifically-developed apps from his build that were present in the original Helix project builds. However he continues to plug away at filling the voids with new tools from other sources. Check it out including these screenshots and application list.

Created by Daniel Pistelli, a freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Ophcrack 3.3.0 and Ophcrack LiveCD 2.3.0. – New versions of these password auditing/cracking tools are now available. Don’t let the unsync’ed versioning fool you. The main program is version 3.3.0 and the LiveCD version 2.3.0 contains the program version 3.3.0. Go figure. Changes in the new version are described on their News page as follows:

Ophcrack version 3.3.0 includes support for our new tables vista_seven. These tables crack 99% of passwords of length 7 composed of almost any character including special characters. This table set will be included in our professional tables bundle.
New features have been added like the table size verification in order to warn the user if the tables have not been fully downloaded for example. It is also possible to tune how the preloading should be done.
An important effort was made to release a brand new LiveCD. A very interesting and refreshing distribution called Slitaz was customized to make a lighter than ever ophcrack LiveCD. It should enable us to update the LiveCD more often and to make your experience much better too. We would like to thank Slitaz team for their support in making this LiveCD. Do not hesitate to give a look at their stable distribution!

NetworkMiner v0.88 – New release on this awesome packet-capture management tool. What I really like about it is the ability to parse PCAP files for offline study as well as the ability to extract and save media files (such as audio or video files) which are streamed across a network. Supported protocols for file extraction are FTP, HTTP and SMB. I don’t have to packet-sniff often, but when I do and I need to analyze a lot of the content being moved, this is the first tool I reach for…hands down!